TIV: A Toolset for Interactive Verification of Basic LOTOS Specifications
Cheoljoo Jeong, Kangho Kim, Youngchan Kim, Yeondae Chung
Systems Engineering Research Institute, Taejon, Korea
{cjeong,khkim,yckim,chung}@eagles.seri.re.kr

Abstract

LOTOS is a formal description language designed for the specification of communication protocols and concurrent systems. In this paper we introduce a toolset for the verification of Basic LOTOS specifications, currently under development at the Systems Engineering Research Institute in Korea. Our toolset supports model generation, bisimilarity checking, model checking, and graphical display of models. In addition, it supports interactive manipulation of Basic LOTOS specifications and their models through the use of a proof language called PAL (Proof Assistant Language).

1. Introduction

Compared to traditional system development methodologies such as structured or object-oriented methods, formal description techniques allow us to verify the specified systems with mathematical rigor [14]. This is because they provide formal description languages with mathematically sound semantics, so that verification can be carried out on the semantic models of the specifications.

In this paper we present a verification toolset, TIV (Tool for Interactive Verification), for Basic LOTOS specifications, which enables us to verify properties of the specified system such as consistency, safety, liveness, and reachability.* Through TIV, users can generate the models of Basic LOTOS specifications, check bisimulation equivalence between Basic LOTOS specifications, perform model checking in the modal µ-calculus, see the graphical output of the models of Basic LOTOS specifications, modify the Basic LOTOS specifications, and give queries on the models of Basic LOTOS specifications.

* This research was partly supported by the Ministry of Information and Communication, Korea, under contract no. N22032.
TIV is part of a LOTOS-based development environment called FORTIA, which supports syntax-directed editing, simulation, verification, code generation, and testing of LOTOS specifications, and which is currently under development at the Systems Engineering Research Institute in Korea. In addition to the above functionalities, FORTIA supports partial mapping from OMT specifications to LOTOS specifications and automated guidance for writing LOTOS specifications in object-oriented style.

The formal description language LOTOS (Language of Temporal Ordering Specifications) was developed to define implementation-independent formal standards for ISO OSI services and protocols [9]. Along with SDL and Estelle, LOTOS has proved useful for specifying communication protocols, distributed systems, and concurrent systems. As the name LOTOS implies, this specification language lets us model systems by specifying the temporal orderings of events. For example, Figure 1 shows a LOTOS specification for a very simple vending machine.

    process VM[10c,20c,Tea,Coffee]: noexit :=
        10c;Tea;VM[10c,20c,Tea,Coffee]
        [] 20c;Coffee;VM[10c,20c,Tea,Coffee]
    endproc (* VM *)

Figure 1. LOTOS specification for a simple vending machine

The VM system specifies the orderings of the relevant events 10c, 20c, Tea, and Coffee. In this specification, event Coffee can occur only after 20c, and event Tea can occur only after 10c.

LOTOS consists of two parts: the first part is based on process algebras like CCS [12] and CSP [8], and the second part is based on the algebraic specification language ACT ONE [4]. The former part is called Basic LOTOS and is used to specify the behavior of the system to be modeled; the latter part is used to specify the abstract data types used in the system. The two parts together are called Full LOTOS. TIV supports verification of specifications written only in Basic LOTOS. In our project, a verification toolset for LOTOS abstract data types is also under development and will be combined with TIV by the end of

There are several tools supporting verification of LOTOS specifications: the Lite toolset [7], the CADP toolset [6], and so on. In designing TIV, we have adopted the interactive verification model of the Concurrency Workbench [2] or the Concurrency Factory rather than that of the above tools, since interactivity and flexibility were what we aimed at in developing our toolset. For this purpose, TIV provides a proof language, called PAL (Proof Assistant Language), to assist users in carrying out verifications. PAL includes constructs for specifying CCS-like process expressions and µ-calculus formulas, and numerous library functions that help users get information on the specifications. Additionally, TIV provides a versatile graphical display which shows the current model of the processes¹, the results of bisimulation equivalence checking, the results of model checking, and other useful information.

The organization of this paper is as follows. In section 2 we present an overview of our toolset, and in section 3 we present the syntax, semantics, and usage of our verification language, PAL.
In section 4, we present some verification techniques used in our toolset. In section 5, we present conclusions and our further research directions.

2. Overview of TIV

2.1. Three modules of TIV

TIV consists of three modules: the model generator module, the model verification module, and the graphical display module.

Model generator module. The semantic model of a Basic LOTOS specification is the labeled transition system (LTS), which is defined to be a 4-tuple $(S, A, \to, s_0)$, where $S$ is a set of states, $A$ is a set of actions (or events), $\to \subseteq S \times A \times S$ is a transition relation, and $s_0 \in S$ is a start state. Figure 2 shows the model of the specification given in Figure 1.

(Figure 2 is a drawing of three states A, B, and C with transitions labeled 10c, 20c, Tea, and Coffee: from the start state A, 10c leads to a state from which Tea returns to A, and 20c leads to a state from which Coffee returns to A.)

Figure 2. Semantic model (LTS) of Figure 1

The model generator module supports the generation of LTSs as semantic models of Basic LOTOS specifications. In fact, this module accepts PAL expressions as its input. PAL (Proof Assistant Language) is a language designed to support interactive verification of Basic LOTOS processes; it will be discussed in detail in section 3. The model generator module generates a minimized LTS. A minimized LTS of an LTS $T$ is defined to be an LTS that is bisimulation equivalent to $T$ with the minimum number of states. This minimization procedure enhances the performance of the bisimilarity checking and model checking algorithms.

Model verification module. The model verification module supports bisimilarity checking and model checking of LTSs. Given two specifications $S_1$ and $S_2$, we may want to prove that $S_1$ has exactly the same behavior as $S_2$, or that $S_2$ has at least the behavior of $S_1$. To prove the former we need an equivalence relation on the set of LTSs, and to prove the latter we need a preorder relation. Bisimilarity is the most widely accepted equivalence relation that has been proposed as a behavioral equivalence.

¹ Throughout the paper, the terms specifications, processes, and process expressions will be used interchangeably.
The model verification module provides several equivalence and preorder checking facilities, including strong (weak) bisimulation equivalence checking, strong (weak) preorder checking, ready simulation equivalence checking, simulation equivalence checking, and so on.

Model checking lets users prove whether some property holds of each state or state transition of the system. TIV supports model checking in the modal µ-calculus. The modal µ-calculus [11], which is an extension of Hennessy-Milner logic, is a powerful modal logic that provides greatest and least fixed point operators. We can express various properties such as safety, liveness, and reachability in the µ-calculus. For example, the property "Y will eventually be satisfied" is represented by the formula $\mu X.(Y \vee \langle\tau\rangle X)$, and $[10c](\langle Tea\rangle tt \wedge [Coffee]ff)$ denotes that after inserting 10c we can get Tea but cannot get Coffee.

Graphical display module. The graphical display module shows the current model in a visual manner. If the user modifies the current process, the model generator module evaluates the new process and sends the model to the graphical display module, and the new model is shown in the graphic window. Users can see the location of a specific state or transition in a window by invoking the appropriate function. The module also shows the result of verification: after the model checking function is invoked, the states that satisfy the given µ-calculus formula are highlighted.

2.2. Data flow model of TIV

TIV accepts Basic LOTOS specifications as its input. There are two ways to provide an input specification to TIV: one is through the invocation of TIV from the LOTOS editor, and the other is through typing PAL expressions directly into TIV. In the former case, since TIV understands only PAL expressions and not Basic LOTOS specifications, the specification is translated into PAL expressions. PAL expressions are evaluated to LTSs by the model generation module, and these LTSs are used by the bisimilarity checker and the model checker. The model checker also needs µ-calculus formulas given by the user.

(Figure 3 is a data flow diagram: Basic LOTOS spec(s) are transformed into PAL expr(s); PAL expr(s) go through Model Generation to yield LTSs; the LTSs feed the Bisimilarity Check and the Model Check, the latter also taking a µ-calculus formula.)

Figure 3. Data flows in TIV

    > process P = 10c.tea.P;
    - P : process
    > process Q = 20c.B;
    - Q : process
    > process X = P | Q;
    - X : process
    > process B = coffee.Q;
    - B : process
    > sbisimilar(P, Q);
    - false
    > formula f = [10c](<tea>tt * [coffee]ff);
    - f : formula
    > model_check(X, f);
    - true
    > aset A = action(X);
    - A = {10c, 20c, coffee, tea} : aset

Figure 4. Sample session of TIV execution

3. PAL Interpreter (Model Generator)

PAL (Proof Assistant Language) is an interpreted language designed for the interactive verification procedure, and its use has the following advantages.

1. PAL allows flexible reuse of previously defined process expressions and µ-calculus formulas. Since each expression can be bound to a name, it can be used later through this name. In Figure 4, process X was defined using processes P and Q.

2. Using PAL saves typing effort. Since LOTOS is a compiled language with type checking, it contains constructs that are not essential to the specification. In PAL, we can type briefer expressions than in Basic LOTOS. For example, the Basic LOTOS specification in Figure 1 is represented by the following PAL expression.

    process VM = 10c.Tea.VM + 20c.Coffee.VM;

3. The PAL interpreter can generate the models of process expressions efficiently, based on the denotational semantics of PAL process expressions. If a process Q is defined using previously defined expressions {P_i}, the PAL interpreter uses the already constructed models of {P_i} to generate the model of Q.

4. Using PAL function commands, users can define their own functions. The function PrintSymDiff returns the symmetric difference of the action sets of two non-bisimilar processes.

    fun PrintSymDiff(process A, process B) : aset =
        if (not sbisimilar(A, B))
            cup(setminus(sort(A), sort(B)), setminus(sort(B), sort(A)))
        else EmptySet

5. PAL provides various library functions to get information on the models of specifications. Using these functions, users can manipulate and give queries on the LTSs.

6. PAL is a typed language, and the type checking procedure helps users prevent unexpected errors in programs.

TIV contains an interpreter for PAL which reads a PAL command, evaluates it, and prints the result of the evaluation.

3.1. Syntax of PAL

The syntax of PAL (Figure 5) can be decomposed largely into two classes: the class of expressions and the class of commands.

PAL expressions. There are four kinds of PAL expressions. The most important are process expressions (E), which are used to specify processes; these expressions are evaluated to LTSs. The syntax of process expressions is very similar to that of CCS expressions without value passing. The only difference is the introduction of the exit ([>) operator, which is a Basic LOTOS operator. This operator, in fact, does not add any expressive power to the algebra and can be seen as syntactic sugar. The next most important expressions are formula expressions (F), which specify the property we want to prove through model checking; these expressions are evaluated to the set of states of the LTS that satisfy the formula. Boolean expressions (B) and arithmetic expressions (N) are similar to those commonly encountered in programming languages.

PAL commands. There are four kinds of commands in PAL. Sequences are of the form C₁; C₂, where the Cᵢ are commands; this means that C₁ is evaluated first and C₂ is evaluated after that. Variable declarations are of the form type id = expr; this means that expr is evaluated to a value of type type and the value is then bound to the name id.
Conditionals have the same semantics as those commonly encountered in functional languages like ML or Scheme. Finally, function declarations are of the form fun id(args) : type = expr, which means that a new function with args as its formal parameters and expr of type type as its body is bound to the name id. Variable declarations and function declarations are the only commands in PAL that modify the environment of the PAL interpreter.

3.2. Semantics of PAL expressions

In this section, we give the denotational semantics of process expressions and formula expressions, which were used to implement our PAL interpreter.

Semantics of process expressions. Figure 6 shows the semantics of process expressions, which is a labeled transition system. This semantics shows how to construct an LTS when the semantics of the subexpressions are given. Here $\mathcal{L}$ is the set of all LTSs, $e : I \to \mathcal{L}$ is an environment, and $\mathrm{ran}(e)$ is the range of $e$. In the semantics of parallel composition $E_1 \mid E_2$, the transition set $T_1$ needs some explanation. Given two labeled transition systems $L_1 = (S_1, A_1, \to_1, s_1)$ and $L_2 = (S_2, A_2, \to_2, s_2)$, and $T_i = \{(s, a, s') \in S_i \times (A_1 \cap A_2) \times S_i\}$, the composition of $L_1$ and $L_2$ over $T_1$ denotes the set of labeled transition systems that can be obtained by identifying 1) $s$ and $s'$, 2) one $a$-derivative² of $s$ and one $a$-derivative of $s'$, and 3) two transitions $(s, a, t)$ and $(s', a, t')$. As mentioned above, this denotational semantics can be used to generate the models of PAL process expressions.

Semantics of formula expressions. The meaning $[\![\Phi]\!]$ of a µ-calculus formula $\Phi$, which is determined with respect to an LTS, is the set of states that satisfy $\Phi$ [5, 3]. $[\![\Phi]\!] : \Phi \to 2^S$ depends on a specific LTS $(S, A, \to, s)$ and on an environment $e : I \to 2^S$ that maps each identifier to a subset of $S$, where $I$ is the set of identifiers of type formula. The semantics of formula expressions is given in Figure 7. In the figure, $e[X \mapsto S']$ denotes the environment that agrees with $e$ on all variables except $X$, which is bound to $S'$. As you will see later, the semantics of formula expressions plays a central role in the model checking algorithm we use.

² The $a$-derivative of a state $s$ is defined to be the set of states that can be reached from $s$ through a transition labeled with $a$, i.e., $\{s' \mid s \xrightarrow{a} s'\}$.
    id       Identifier
    int      Integer
    bool     {true, false}
    formula  {tt, ff}
    type     {process, aset, action, formula, boolean, int}

    E       ::= id | stop | id.E | E.E | E + E | E | E | E \ id | E [> E | (E)
                (the sixth alternative, E | E, is parallel composition)
    F       ::= id | formula | F ∧ F | F ∨ F | [id]F | <id>F | mu(id, F) | nu(id, F) | (F)
    B       ::= id | bool | B and B | B or B | not B | N < N | N = N | (B)
    N       ::= id | num | N + N | N - N | N * N | N / N | -N | (N)
    arg     ::= id : type
    args    ::= arg | arg, args | ε
    expr    ::= E | F | B | N
    command ::= command; command | type id = expr | if B then C else C fi | fun id(args) : type = expr

Figure 5. Lexical categories and abstract syntax of PAL

$[\![\mathrm{stop}]\!]e = (\{s\}, \emptyset, \emptyset, s)$ where $(\forall (S, A, \to, s_0) \in \mathrm{ran}(e))[s \notin S]$

$[\![a.E]\!]e = (S \cup \{t\}, A \cup \{a\}, \to \cup \{(t, a, s_0)\}, t)$ where $[\![E]\!]e = (S, A, \to, s_0)$

$[\![E_1.E_2]\!]e = (S_1 \cup S_2, A_1 \cup A_2 \cup \{\tau\}, \to_1 \cup \to_2 \cup \{(s, \tau, s_2) \mid s \in S_1 \wedge \neg(\exists t \in S_1)(\exists a \in A_1)[(s, a, t) \in \to_1]\}, s_1)$ where $[\![E_i]\!]e = (S_i, A_i, \to_i, s_i)$

$[\![E_1 + E_2]\!]e = (S_1 \cup S_2 \cup \{s\}, A_1 \cup A_2 \cup \{\tau\}, \to_1 \cup \to_2 \cup \{(s, \tau, s_1), (s, \tau, s_2)\}, s)$ where $[\![E_i]\!]e = (S_i, A_i, \to_i, s_i)$

$[\![E_1 \mid E_2]\!]e = (S_1 \times S_2, A_1 \cup A_2 \cup \{\tau\}, T_1 \cup T_2, (s_1, s_2))$ where $[\![E_i]\!]e = (S_i, A_i, \to_i, s_i)$,
$T_1 = \{(s, t) \xrightarrow{a} (s', t') \mid (s \xrightarrow{a} s' \wedge t = t' \wedge \neg(\exists t'' \in S_2)[t \xrightarrow{a} t'']) \vee (t \xrightarrow{a} t' \wedge s = s' \wedge \neg(\exists s'' \in S_1)[s \xrightarrow{a} s''])\}$, and
$T_2 = \{(s, t) \xrightarrow{\tau} (s', t') \mid s \xrightarrow{a} s' \wedge t \xrightarrow{a} t'\}$

$[\![E \setminus a]\!]e = (S \setminus S', A \setminus \{a\}, (\to \setminus \{(s, a, s') \mid s, s' \in S\}) \cup \{(s, b, s'') \mid a \neq b \wedge (\exists s' \in S')[s \xrightarrow{a} s' \wedge s' \xrightarrow{b} s'']\}, s_0)$ where $[\![E]\!]e = (S, A, \to, s_0)$ and $S' = \{s' \in S \mid (\exists s)[s \xrightarrow{a} s']\}$

$[\![E_1 \mathrel{[>} E_2]\!]e = (S_1 \cup S_2 \cup \{s\}, A_1 \cup A_2 \cup \{\tau\}, \to_1 \cup \to_2 \cup \{(s, \tau, s_2) \mid s \in S_1\}, s_1)$ where $[\![E_i]\!]e = (S_i, A_i, \to_i, s_i)$

Figure 6. Semantics of process expressions
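The constructions of Figure 6 for stop, action prefix, choice, and parallel composition, written out as an added Python example. This is not the PAL interpreter's own code: the dict-based LTS representation, the fresh-state naming scheme, and the spelling "tau" for the internal action are assumptions of this example, and sequential composition, restriction, and disabling are left out.

```python
# Added example (not TIV's code): the LTS constructions of Figure 6 for stop,
# action prefix, choice, and parallel composition, as Python functions.
from itertools import count

TAU = "tau"              # the internal action written as tau in Figure 6
_fresh = count()

def fresh_state():
    """A state name not used by any LTS built so far (the side condition on stop)."""
    return f"s{next(_fresh)}"

def make_lts(states, actions, trans, start):
    """An LTS is the 4-tuple (S, A, ->, s0); transitions are (source, action, target)."""
    return {"S": frozenset(states), "A": frozenset(actions),
            "T": frozenset(trans), "s0": start}

def stop():
    # [stop]e = ({s}, {}, {}, s) with s fresh
    s = fresh_state()
    return make_lts({s}, set(), set(), s)

def prefix(a, L):
    # [a.E]e = (S u {t}, A u {a}, -> u {(t, a, s0)}, t) where [E]e = (S, A, ->, s0)
    t = fresh_state()
    return make_lts(L["S"] | {t}, L["A"] | {a}, L["T"] | {(t, a, L["s0"])}, t)

def choice(L1, L2):
    # [E1 + E2]e = (S1 u S2 u {s}, A1 u A2 u {tau}, ->1 u ->2 u {(s,tau,s1), (s,tau,s2)}, s):
    # a fresh start state branches by an internal step into either operand
    s = fresh_state()
    return make_lts(L1["S"] | L2["S"] | {s}, L1["A"] | L2["A"] | {TAU},
                    L1["T"] | L2["T"] | {(s, TAU, L1["s0"]), (s, TAU, L2["s0"])}, s)

def enabled(L, s, a):
    """True iff state s of L has an outgoing a-transition."""
    return any(src == s and act == a for src, act, _ in L["T"])

def parallel(L1, L2):
    # [E1 | E2]e = (S1 x S2, A1 u A2 u {tau}, T1 u T2, (s1, s2)).
    # T1: one side moves on a alone only when the other side cannot do a.
    # T2: both sides move on the same a together, observed as a tau step.
    T = set()
    for (s, a, s2) in L1["T"]:
        for t in L2["S"]:
            if not enabled(L2, t, a):
                T.add(((s, t), a, (s2, t)))
    for (t, a, t2) in L2["T"]:
        for s in L1["S"]:
            if not enabled(L1, s, a):
                T.add(((s, t), a, (s, t2)))
    for (s, a, s2) in L1["T"]:
        for (t, b, t2) in L2["T"]:
            if a == b:
                T.add(((s, t), TAU, (s2, t2)))
    states = {(s, t) for s in L1["S"] for t in L2["S"]}
    return make_lts(states, L1["A"] | L2["A"] | {TAU}, T, (L1["s0"], L2["s0"]))

def initial_actions(L):
    """The actions enabled in the start state of L."""
    return {a for src, a, _ in L["T"] if src == L["s0"]}

def reachable(L):
    """States reachable from the start; the product built by parallel() also holds unreachable pairs."""
    seen, todo = {L["s0"]}, [L["s0"]]
    while todo:
        s = todo.pop()
        for src, _, dst in L["T"]:
            if src == s and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

if __name__ == "__main__":
    # 10c.Tea.stop + 20c.Coffee.stop: one round of the vending machine of Figure 1
    vm_round = choice(prefix("10c", prefix("Tea", stop())),
                      prefix("20c", prefix("Coffee", stop())))
    print(initial_actions(vm_round))      # the choice is resolved by an internal tau step
    # two processes offering the same action synchronise into a single tau step
    sync = parallel(prefix("10c", stop()), prefix("10c", stop()))
    print(initial_actions(sync), len(reachable(sync)))
```

Two points of Figure 6 become visible when this is run: choice introduces a fresh start state whose only moves are τ steps into the operands, and parallel composition of two processes that both offer 10c yields a start state that can only do τ, because T1 suppresses the interleaved 10c moves while the other side is able to synchronise.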
$[\![tt]\!]e = S$

$[\![ff]\!]e = \emptyset$

$[\![id]\!]e = e(id)$

$[\![\Phi_1 \wedge \Phi_2]\!]e = [\![\Phi_1]\!]e \cap [\![\Phi_2]\!]e$

$[\![\Phi_1 \vee \Phi_2]\!]e = [\![\Phi_1]\!]e \cup [\![\Phi_2]\!]e$

$[\![[a]\Phi]\!]e = \{s \mid (\forall s')[(s \xrightarrow{a} s') \Rightarrow (s' \in [\![\Phi]\!]e)]\}$

$[\![\langle a\rangle\Phi]\!]e = \{s \mid (\exists s')[(s \xrightarrow{a} s') \wedge (s' \in [\![\Phi]\!]e)]\}$

$[\![mu(X, \Phi)]\!]e = \bigcap\{S' \subseteq S \mid [\![\Phi]\!]e[X \mapsto S'] \subseteq S'\}$

$[\![nu(X, \Phi)]\!]e = \bigcup\{S' \subseteq S \mid S' \subseteq [\![\Phi]\!]e[X \mapsto S']\}$

Figure 7. Semantics of formula expressions

4. Model Verification Tools

4.1. Bisimulation checker

Many equivalence relations have been proposed as behavioral equivalences. Among them, one of the most notable is (strong) bisimulation equivalence, proposed by Milner [12], which is defined as follows.

Definition 1. Given an LTS $(S, A, \to, s_0)$, a binary relation $R \subseteq S \times S$ is a bisimulation if for all $a \in A$, $(P, Q) \in R$ implies
1. if $P \xrightarrow{a} P'$, then there exists $Q'$ such that $Q \xrightarrow{a} Q'$ and $(P', Q') \in R$, and
2. if $Q \xrightarrow{a} Q'$, then there exists $P'$ such that $P \xrightarrow{a} P'$ and $(P', Q') \in R$.

When $(P, Q) \in R$, $P$ and $Q$ are said to be bisimilar, denoted $P \sim Q$. Intuitively, $P$ and $Q$ being bisimilar means that if $P$ has an $a$-transition for some action $a$ (that is, $P$ can observe action $a$), then $Q$ also has an $a$-transition, and $P$ and $Q$ move to bisimilar states through their $a$-transitions.

If the model of the Basic LOTOS specification is finite, the bisimilarity checking problem reduces to the relational coarsest partition problem [10]: given a partition $P$ of a set $U$ and a binary relation $E$ on $U$, find the coarsest refinement $Q$ of $P$ such that for each pair of blocks $B_1, B_2$ of $Q$, either $B_1 \subseteq E^{-1}(B_2)$ or $B_1 \cap E^{-1}(B_2) = \emptyset$. Kanellakis and Smolka [10] devised an algorithm that solves the relational coarsest partition problem in $O(mn)$ time ($n$ is the number of states and $m$ the number of transitions), and Paige and Tarjan [13] gave an $O(m \log n)$-time algorithm for the same problem. TIV uses the Kanellakis-Smolka algorithm to decide bisimilarity, and these equivalence/preorder checking facilities are provided through a series of library functions.
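A worked example added here that serves both the formula semantics of Figure 7 and the bisimulation checker of Section 4.1; it is not TIV's code. The first part decides strong bisimilarity of two finite LTSs by plain partition refinement, which solves the same relational coarsest partition problem that TIV solves with the Kanellakis-Smolka algorithm (the signature-based refinement used here is simpler and slower). The second part evaluates $[\![\Phi]\!]e$ exactly as Figure 7 defines it, computing the fixpoints by iteration. The dict encoding of LTSs, the tuple encoding of formulas, the wildcard action "-" (not PAL syntax), and the concrete vending-machine LTSs are assumptions of this example; the LTS of Figure 2 is reconstructed with B as the state after 10c and C as the state after 20c.

```python
# Added example (not TIV's code): strong bisimulation by partition refinement
# (Definition 1, Section 4.1) and a mu-calculus model checker that evaluates
# the set semantics of Figure 7 by fixpoint iteration on a finite LTS.
# An LTS is a dict: "S" states, "T" (source, action, target) triples, "s0" start.

def succ(L, s, a=None):
    """Targets of transitions from s, restricted to action a unless a is None (any action)."""
    return {t for src, act, t in L["T"] if src == s and (a is None or act == a)}

# ---- bisimulation: coarsest partition refinement ---------------------------

def coarsest_bisimulation(L):
    """Coarsest partition of L's states that is a strong bisimulation, as state -> block id."""
    block = {s: 0 for s in L["S"]}                       # the trivial partition
    while True:
        # signature of s: the (action, target block) pairs s can perform
        sig = {s: frozenset((a, block[t]) for src, a, t in L["T"] if src == s) for s in L["S"]}
        ids, new = {}, {}
        for s in sorted(L["S"], key=repr):
            new[s] = ids.setdefault((block[s], sig[s]), len(ids))
        if len(ids) == len(set(block.values())):         # no block was split: stable
            return new
        block = new

def sbisimilar(L1, L2):
    """Strong bisimilarity of the start states, checked in the disjoint union of the two LTSs."""
    union = {"S": {(1, s) for s in L1["S"]} | {(2, s) for s in L2["S"]},
             "T": {((1, s), a, (1, t)) for s, a, t in L1["T"]}
                  | {((2, s), a, (2, t)) for s, a, t in L2["T"]},
             "s0": (1, L1["s0"])}
    block = coarsest_bisimulation(union)
    return block[(1, L1["s0"])] == block[(2, L2["s0"])]

def minimized_size(L):
    """Number of states of the minimized LTS: one per block of the coarsest bisimulation."""
    return len(set(coarsest_bisimulation(L).values()))

# ---- mu-calculus: [[phi]]e as in Figure 7 ----------------------------------
# Formulas are tuples: ("tt",), ("ff",), ("var", X), ("and", f, g), ("or", f, g),
# ("box", a, f), ("dia", a, f), ("mu", X, f), ("nu", X, f).  The action "-"
# (an assumption of this example, not PAL syntax) stands for any action.

def sem(phi, L, env=None):
    env = env or {}
    S, kind = L["S"], phi[0]
    if kind == "tt":  return set(S)
    if kind == "ff":  return set()
    if kind == "var": return set(env[phi[1]])
    if kind == "and": return sem(phi[1], L, env) & sem(phi[2], L, env)
    if kind == "or":  return sem(phi[1], L, env) | sem(phi[2], L, env)
    if kind in ("box", "dia"):
        a = None if phi[1] == "-" else phi[1]
        inner = sem(phi[2], L, env)
        if kind == "box":                                  # every a-successor satisfies phi
            return {s for s in S if succ(L, s, a) <= inner}
        return {s for s in S if succ(L, s, a) & inner}     # some a-successor satisfies phi
    if kind in ("mu", "nu"):
        # least / greatest fixpoint of S' -> [[phi]]e[X -> S'], iterated from {} / S;
        # on a finite LTS this monotone iteration reaches the sets of Figure 7
        X, cur = phi[1], (set() if kind == "mu" else set(S))
        while True:
            nxt = sem(phi[2], L, {**env, X: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown formula {phi!r}")

def model_check(L, phi):
    """The Model Checking Problem: is the start state in [[phi]]?"""
    return L["s0"] in sem(phi, L)

# ---- constructed sample input: the vending machine of Figure 2 -------------
VM = {"S": {"A", "B", "C"}, "s0": "A",
      "T": {("A", "10c", "B"), ("B", "Tea", "A"), ("A", "20c", "C"), ("C", "Coffee", "A")}}
# a bisimilar unfolding (D behaves like A) and a machine with the drinks swapped
VM_UNFOLDED = {"S": {"A", "B", "C", "D"}, "s0": "A",
               "T": {("A", "10c", "B"), ("B", "Tea", "D"), ("D", "10c", "B"), ("D", "20c", "C"),
                     ("A", "20c", "C"), ("C", "Coffee", "A")}}
VM_SWAPPED = {"S": {"A", "B", "C"}, "s0": "A",
              "T": {("A", "10c", "B"), ("B", "Coffee", "A"), ("A", "20c", "C"), ("C", "Tea", "A")}}

# [10c](<Tea>tt and [Coffee]ff): after 10c we can get Tea but not Coffee (Section 2.1)
AFTER_10C = ("box", "10c", ("and", ("dia", "Tea", ("tt",)), ("box", "Coffee", ("ff",))))
# mu X.(<Coffee>tt or <->X): a Coffee transition is reachable
EVENTUALLY_COFFEE = ("mu", "X", ("or", ("dia", "Coffee", ("tt",)), ("dia", "-", ("var", "X"))))
# nu X.(<->tt and [-]X): no reachable state is deadlocked
DEADLOCK_FREE = ("nu", "X", ("and", ("dia", "-", ("tt",)), ("box", "-", ("var", "X"))))

if __name__ == "__main__":
    print(sbisimilar(VM, VM_UNFOLDED), sbisimilar(VM, VM_SWAPPED), minimized_size(VM_UNFOLDED))
    print(model_check(VM, AFTER_10C), model_check(VM, EVENTUALLY_COFFEE), model_check(VM, DEADLOCK_FREE))
```

The refinement loop stops as soon as a round splits no block, which is exactly when the partition has become a bisimulation; the unfolded machine collapses to three blocks, the minimized size of Figure 2. The model checker recomputes an inner fixpoint on every step of an outer one, so it is correct for formulas of any alternation depth on a finite LTS but is not the linear-time algorithm of Cleaveland and Steffen [3].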
When two specifications are not bisimulation equivalent, we can devise a Hennessy-Milner logic formula that distinguishes them using Cleaveland's algorithm [1]. This formula distinguishes the two inequivalent specifications in the sense that it is satisfied by one but not by the other. When the input LTSs are not bisimilar, TIV outputs a µ-calculus formula that distinguishes the start states of the two LTSs.

4.2. Model checker

As may be clear from the semantics of µ-calculus formulas, when the LTS of discourse is finite the model checking problem can be seen as the following set membership problem.

Model Checking Problem: Given a µ-calculus formula $\Phi$ and an LTS $(S, A, \to, s_0)$, determine whether $s_0 \in [\![\Phi]\!]$.

TIV uses the model checking algorithm of Cleaveland and Steffen [3]. Their algorithm requires that the input formula have at most one alternation of least and greatest fixed point operators. In that paper it is claimed that this is not a severe restriction on the class of properties we can describe.

5. Conclusion

In this paper, we have described a toolset, TIV (Toolset for Interactive Verification), for interactive verification of Basic LOTOS specifications. TIV supports model generation, bisimilarity checking, model checking, and graphical display of models. TIV includes a PAL (Proof Assistant Language) interpreter which enables interactive and flexible manipulation and verification of specifications. Two major research directions that we have in mind are as follows.

Verification of Full LOTOS specifications. Most verification problems are known to be either PSPACE-hard or EXPTIME-complete when it comes to the verification of Full LOTOS specifications, which involve value passing. We are seeking efficient algorithms that partially solve these problems.
Verification of infinite state systems. TIV supports verification of specifications that have finite models. Active research on infinite-state system verification is in progress in the concurrency theory community, and we intend to adopt its results in our toolset.

References

[1] R. Cleaveland. On automatically distinguishing inequivalent processes. In Proceedings of the 1990 Workshop on Computer-Aided Verification, number 531 in Lecture Notes in Computer Science. Springer-Verlag.
[2] R. Cleaveland, J. Parrow, and B. Steffen. The concurrency workbench. In J. Sifakis, editor, Proceedings of the International Workshop on Automatic Verification Methods for Finite State Systems, number 407 in Lecture Notes in Computer Science. Springer-Verlag.
[3] R. Cleaveland and B. Steffen. A linear-time model checking algorithm for the alternation-free modal mu-calculus. Formal Methods in System Design, 2.
[4] H. Ehrig and B. Mahr. Fundamentals of Algebraic Specification 1: Equations and Initial Semantics, volume 6 of EATCS Monographs on Theoretical Computer Science. Springer-Verlag, New York, NY.
[5] E. A. Emerson and C. Lei. Model checking in the propositional mu-calculus. Technical Report, Department of Computer Science, University of Texas at Austin, Austin, TX.
[6] J. Fernandez, H. Garavel, A. Kerbrat, R. Mateescu, L. Mounier, and M. Sighireanu. CADP (Cæsar/Aldebaran Development Package): A protocol validation and verification toolbox. In R. Alur and T. A. Henzinger, editors, Proceedings of the 8th Conference on Computer-Aided Verification, August.
[7] S. Gnesi, E. Madelaine, and G. Ristori. An exercise in protocol verification. In T. Bolognesi et al., editors, LOTOSphere: Software Development with LOTOS, chapter 13. Kluwer Academic Publishers.
[8] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall International, Hertfordshire, 1985.
[9] ISO 8807. Information processing systems - Open systems interconnection - LOTOS - A formal description technique based on the temporal ordering of observational behavior. ISO 8807:1989 (E), February 1989.
[10] P. C. Kanellakis and S. A. Smolka. CCS expressions, finite state processes, and three problems of equivalence. In Proceedings of the 2nd ACM Symposium on Principles of Distributed Computing.
[11] D. Kozen. Results on the propositional mu-calculus. Theoretical Computer Science, 27.
[12] R. Milner. Communication and Concurrency. Prentice-Hall, Englewood Cliffs, NJ.
[13] R. Paige and R. E. Tarjan. Three partition refinement algorithms. SIAM Journal on Computing, 16(6), December.
[14] J. M. Wing. A specifier's introduction to formal methods. IEEE Computer, pages 8-24, September.
More information1. true / false By a compiler we mean a program that translates to code that will run natively on some machine.
1. true / false By a compiler we mean a program that translates to code that will run natively on some machine. 2. true / false ML can be compiled. 3. true / false FORTRAN can reasonably be considered
More informationImplementing Software Connectors through First-Class Methods
Implementing Software Connectors through First-Class Methods Cheoljoo Jeong and Sangduck Lee Computer & Software Technology Laboratory Electronics and Telecommunications Research Institute Taejon, 305-350,
More informationLecture 11 Lecture 11 Nov 5, 2014
Formal Verification/Methods Lecture 11 Lecture 11 Nov 5, 2014 Formal Verification Formal verification relies on Descriptions of the properties or requirements Descriptions of systems to be analyzed, and
More informationRelational Database: The Relational Data Model; Operations on Database Relations
Relational Database: The Relational Data Model; Operations on Database Relations Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin Overview
More informationSPECIFICATION AND VERIFICATION OF A DYNAMIC RECONFIGURATION PROTOCOL FOR AGENT-BASED APPLICATIONS
SPECIFICATION AND VERIFICATION OF A DYNAMIC RECONFIGURATION PROTOCOL FOR AGENT-BASED APPLICATIONS Manuel Aguilar Cornejo *, Hubert Garavel, Radu Mateescu, and Noël de Palma INRIA Rhône-Alpes, 655, avenue
More informationTo be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.
To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 Introduction SDN research directions as outlined in IRTF RG outlines i) need for more flexibility and programmability
More informationerics: A Tool for Verifying Timed Automata and Estelle Specifications
erics: A Tool for Verifying Timed Automata and Estelle Specifications Piotr Dembiński, Agata Janowska, Pawe l Janowski, Wojciech Penczek,5, Agata Pó lrola, Maciej Szreter,Bożena Woźna 4, and Andrzej Zbrzezny
More informationApplication of Equivalence Checking in a Loan Origination Process in Banking Industry
2013 Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises Application of Equivalence Checking in a Loan Origination Process in Banking Industry Antonella Santone Dipartimento
More informationProgramming Languages
CSE 230: Winter 2008 Principles of Programming Languages Ocaml/HW #3 Q-A Session Push deadline = Mar 10 Session Mon 3pm? Lecture 15: Type Systems Ranjit Jhala UC San Diego Why Typed Languages? Development
More informationPropositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson
Propositional Calculus: Boolean Algebra and Simplification CS 270: Mathematical Foundations of Computer Science Jeremy Johnson Propositional Calculus Topics Motivation: Simplifying Conditional Expressions
More informationPrinciples of Programming Languages
Principles of Programming Languages www.cs.bgu.ac.il/~ppl172 Collaboration and Management Dana Fisman Lesson 2 - Types with TypeScript 1 Types What are types in programming languages? What types are you
More informationLOGIC AND DISCRETE MATHEMATICS
LOGIC AND DISCRETE MATHEMATICS A Computer Science Perspective WINFRIED KARL GRASSMANN Department of Computer Science University of Saskatchewan JEAN-PAUL TREMBLAY Department of Computer Science University
More informationModel Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12
Model Checking mc Revision:.2 Model Checking for Infinite Systems mc 2 Revision:.2 check algorithmically temporal / sequential properties fixpoint algorithms with symbolic representations: systems are
More informationCom S 541. Programming Languages I
Programming Languages I Lecturer: TA: Markus Lumpe Department of Computer Science 113 Atanasoff Hall http://www.cs.iastate.edu/~lumpe/coms541.html TR 12:40-2, W 5 Pramod Bhanu Rama Rao Office hours: TR
More informationPrinciples of Programming Languages
Principles of Programming Languages Lesson 14 Type Checking Collaboration and Management Dana Fisman www.cs.bgu.ac.il/~ppl172 1 Type Checking We return to the issue of type safety we discussed informally,
More informationLECTURE 16. Functional Programming
LECTURE 16 Functional Programming WHAT IS FUNCTIONAL PROGRAMMING? Functional programming defines the outputs of a program as a mathematical function of the inputs. Functional programming is a declarative
More informationSubstitution in Structural Operational Semantics and value-passing process calculi
Substitution in Structural Operational Semantics and value-passing process calculi Sam Staton Computer Laboratory University of Cambridge Abstract Consider a process calculus that allows agents to communicate
More informationCourse Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen
Course Modelling of Concurrent Systems Summer Semester 2016 University of Duisburg-Essen Harsh Beohar LF 265, harsh.beohar@uni-due.de Harsh Beohar Course Modelling of Concurrent Systems 1 Course handler
More informationCS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011
CS152: Programming Languages Lecture 11 STLC Extensions and Related Topics Dan Grossman Spring 2011 Review e ::= λx. e x e e c v ::= λx. e c τ ::= int τ τ Γ ::= Γ, x : τ (λx. e) v e[v/x] e 1 e 1 e 1 e
More informationCMSC 330: Organization of Programming Languages. Operational Semantics
CMSC 330: Organization of Programming Languages Operational Semantics Notes about Project 4, Parts 1 & 2 Still due today (7/2) Will not be graded until 7/11 (along with Part 3) You are strongly encouraged
More informationCS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011
CS 6110 S11 Lecture 25 Typed λ-calculus 6 April 2011 1 Introduction Type checking is a lightweight technique for proving simple properties of programs. Unlike theorem-proving techniques based on axiomatic
More informationAutomated Reasoning. Natural Deduction in First-Order Logic
Automated Reasoning Natural Deduction in First-Order Logic Jacques Fleuriot Automated Reasoning Lecture 4, page 1 Problem Consider the following problem: Every person has a heart. George Bush is a person.
More informationCompositional Software Model Checking
Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical
More informationStateClock: a Tool for Timed Reactive Modules
StateClock: a Tool for Timed Reactive Modules Jonathan S. Ostroff Department Of Computer Science, York University, Toronto, Canada, M3J 1P3. Email: jonathan@yorku.ca Abstract: We provide an overview of
More informationCS611 Lecture 33 Equirecursive types & Recursive domain equations November 19, 2001
CS611 Lecture 33 Equirecursive types & Recursive domain equations November 19, 001 Scribe: Hongzhou Liu and Junhwan Kim Lecturer: Andrew Myers 1 Semantics of recursive types, part There are two basic approaches
More informationExperiences with OWL-S, Directions for Service Composition:
Experiences with OWL-S, Directions for Service Composition: The Cashew Position Barry Norton 1 Knowledge Media Institute, Open University, Milton Keynes, UK b.j.norton@open.ac.uk Abstract. Having used
More informationSoftCOM 2000 THE EFFICIENT SYMBOLIC TOOLS PACKAGE
8th International Conference Software, Telecommunications and Computer Networks, Split, Croatia THE EFFICIENT SYMBOLIC TOOLS PACKAGE Robert Meolic, Tatjana Kapus, Zmago Brezočnik Faculty of Electrical
More informationJOURNAL OF OBJECT TECHNOLOGY
JOURNAL OF OBJECT TECHNOLOGY Online at www.jot.fm. Published by ETH Zurich, Chair of Software Engineering JOT, 2002 Vol. 1, No. 2, July-August 2002 The Theory of Classification Part 2: The Scratch-Built
More information! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !
What Are Formal Methods? David S. Rosenblum ICS 221 Winter 2001! Use of formal notations! first-order logic, state machines, etc.! in software system descriptions! system models, constraints, specifications,
More informationLecture 3: Recursion; Structural Induction
15-150 Lecture 3: Recursion; Structural Induction Lecture by Dan Licata January 24, 2012 Today, we are going to talk about one of the most important ideas in functional programming, structural recursion
More informationPropositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson
Propositional Calculus CS 270: Mathematical Foundations of Computer Science Jeremy Johnson Propositional Calculus Objective: To provide students with the concepts and techniques from propositional calculus
More informationCS 671, Automated Reasoning
CS 671, Automated Reasoning Lesson 20: Type Constructs based on Intersection (II): dependent records, abstract data types, basic algebra April 3, 2001 Last time we discussed record types and their representation
More informationOperational Semantics. One-Slide Summary. Lecture Outline
Operational Semantics #1 One-Slide Summary Operational semantics are a precise way of specifying how to evaluate a program. A formal semantics tells you what each expression means. Meaning depends on context:
More informationDiscrete Mathematics Lecture 4. Harper Langston New York University
Discrete Mathematics Lecture 4 Harper Langston New York University Sequences Sequence is a set of (usually infinite number of) ordered elements: a 1, a 2,, a n, Each individual element a k is called a
More informationA Partial Correctness Proof for Programs with Decided Specifications
Applied Mathematics & Information Sciences 1(2)(2007), 195-202 An International Journal c 2007 Dixie W Publishing Corporation, U. S. A. A Partial Correctness Proof for Programs with Decided Specifications
More informationResource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems
Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems Insup Lee 1, Oleg Sokolsky 1, Anna Philippou 2 1 RTG (Real-Time Systems Group) Department of
More informationNegations in Refinement Type Systems
Negations in Refinement Type Systems T. Tsukada (U. Tokyo) 14th March 2016 Shonan, JAPAN This Talk About refinement intersection type systems that refute judgements of other type systems. Background Refinement
More informationA FAMILY OF RESOURCE-BOUND REAL- TIME PROCESS ALGEBRAS
A FAMILY OF RESOURCE-BOUND REAL- TIME PROCESS ALGEBRAS Insup Lee University of Pennsylvania, Philadelphia, PA (lee@cis.upenn.edu) Jin-Young Choi Korea University, Seoul, Korea (choi@formal.korea.ac.kr)
More informationVerification of Bakery algorithm variants for two processes
Verification of Bakery algorithm variants for two processes David Dedi 1, Robert Meolic 2 1 Nova Vizija d.o.o., Vreerjeva ulica 8, SI-3310 Žalec 2 Faculty of Electrical Engineering and Computer Science,
More informationOn the Finiteness of the Recursive Chromatic Number
On the Finiteness of the Recursive Chromatic Number William I Gasarch Andrew C.Y. Lee Abstract A recursive graph is a graph whose vertex and edges sets are recursive. A highly recursive graph is a recursive
More informationDecision Procedures in the Theory of Bit-Vectors
Decision Procedures in the Theory of Bit-Vectors Sukanya Basu Guided by: Prof. Supratik Chakraborty Department of Computer Science and Engineering, Indian Institute of Technology, Bombay May 1, 2010 Sukanya
More informationAn Efficient Algorithm for Computing Non-overlapping Inversion and Transposition Distance
An Efficient Algorithm for Computing Non-overlapping Inversion and Transposition Distance Toan Thang Ta, Cheng-Yao Lin and Chin Lung Lu Department of Computer Science National Tsing Hua University, Hsinchu
More informationFlight Systems are Cyber-Physical Systems
Flight Systems are Cyber-Physical Systems Dr. Christopher Landauer Software Systems Analysis Department The Aerospace Corporation Computer Science Division / Software Engineering Subdivision 08 November
More informationHandout 9: Imperative Programs and State
06-02552 Princ. of Progr. Languages (and Extended ) The University of Birmingham Spring Semester 2016-17 School of Computer Science c Uday Reddy2016-17 Handout 9: Imperative Programs and State Imperative
More informationThe Substitution Model
The Substitution Model Prof. Clarkson Fall 2017 Today s music: Substitute by The Who Review Previously in 3110: simple interpreter for expression language abstract syntax tree (AST) evaluation based on
More informationOn Meaning Preservation of a Calculus of Records
On Meaning Preservation of a Calculus of Records Emily Christiansen and Elena Machkasova Computer Science Discipline University of Minnesota, Morris Morris, MN 56267 chri1101, elenam@morris.umn.edu Abstract
More informationChapter 3. Describing Syntax and Semantics ISBN
Chapter 3 Describing Syntax and Semantics ISBN 0-321-49362-1 Chapter 3 Topics Describing the Meanings of Programs: Dynamic Semantics Copyright 2015 Pearson. All rights reserved. 2 Semantics There is no
More informationStudying Graph Connectivity
Studying Graph Connectivity Freeman Yufei Huang July 1, 2002 Submitted for CISC-871 Instructor: Dr. Robin Dawes Studying Graph Connectivity Freeman Yufei Huang Submitted July 1, 2002 for CISC-871 In some
More informationSemantics with Applications 3. More on Operational Semantics
Semantics with Applications 3. More on Operational Semantics Hanne Riis Nielson, Flemming Nielson (thanks to Henrik Pilegaard) [SwA] Hanne Riis Nielson, Flemming Nielson Semantics with Applications: An
More informationModeling the Real World for Data Mining: Granular Computing Approach
Modeling the Real World for Data Mining: Granular Computing Approach T. Y. Lin Department of Mathematics and Computer Science San Jose State University San Jose California 95192-0103 and Berkeley Initiative
More informationCS 565: Programming Languages. Spring 2008 Tu, Th: 16:30-17:45 Room LWSN 1106
CS 565: Programming Languages Spring 2008 Tu, Th: 16:30-17:45 Room LWSN 1106 Administrivia Who am I? Course web page http://www.cs.purdue.edu/homes/peugster/cs565spring08/ Office hours By appointment Main
More informationThe Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England
The Formal Semantics of Programming Languages An Introduction Glynn Winskel The MIT Press Cambridge, Massachusetts London, England Series foreword Preface xiii xv 1 Basic set theory 1 1.1 Logical notation
More informationProgram Verification. Aarti Gupta
Program Verification Aarti Gupta 1 Agenda Famous bugs Common bugs Testing (from lecture 6) Reasoning about programs Techniques for program verification 2 Famous Bugs The first bug: A moth in a relay (1945)
More informationUsing Formal Description Technique ESTELLE for Manufacturing Systems Specification or Description
Using Formal Description Technique ESTELLE for Manufacturing Systems Specification or Description Sousa, R. a ; Putnik, G. b ; Moreira, F. c Production and Systems Engineering Department - School of Engineering
More informationECDAR: An Environment for Compositional Design and Analysis of Real Time Systems
ECDAR: An Environment for Compositional Design and Analysis of Real Time Systems AlexandreDavid 1,Kim.G.Larsen 1,AxelLegay 2, UlrikNyman 1,AndrzejWąsowski 3 1 ComputerScience,AalborgUniversity,Denmark
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationPractical Case Studies in Teaching Concurrency. A. J. Cowling
Practical Case Studies in Teaching Concurrency A. J. Cowling Department of Computer Science, University of Sheffield, Sheffield, S10 2TN, UK. Telephone: +44 114 222 1823; Fax: +44 114 222 1810; Email:
More informationTowards a Software Model Checker for ML. Naoki Kobayashi Tohoku University
Towards a Software Model Checker for ML Naoki Kobayashi Tohoku University Joint work with: Ryosuke Sato and Hiroshi Unno (Tohoku University) in collaboration with Luke Ong (Oxford), Naoshi Tabuchi and
More informationProgramming Languages Lecture 14: Sum, Product, Recursive Types
CSE 230: Winter 200 Principles of Programming Languages Lecture 4: Sum, Product, Recursive Types The end is nigh HW 3 No HW 4 (= Final) Project (Meeting + Talk) Ranjit Jhala UC San Diego Recap Goal: Relate
More informationCOP4020 Programming Languages. Functional Programming Prof. Robert van Engelen
COP4020 Programming Languages Functional Programming Prof. Robert van Engelen Overview What is functional programming? Historical origins of functional programming Functional programming today Concepts
More informationVerifying Safety Property of Lustre Programs: Temporal Induction
22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 Verifying Safety Property of Lustre Programs: Temporal Induction Copyright 2008 Cesare Tinelli. These notes are copyrighted
More information